How Business, IT and Security Teams Gain a Common View of Risk

In today's digital business ecosystem, information technology and security teams need to build more proactive and value-driven IT risk and IT compliance programs. They need to preserve business operations and their supporting technology environment, and protect regulated and sensitive information from security breaches and adverse events. They must ensure their organizations can perform exceptionally well in the face of political, environmental, competitive, regulatory and technology changes.

In this illustration, we outline the five key areas in which business, IT and security teams need to ‘get on the same page’ in developing an integrated view of risk and resilience.

1 BUSINESS OPERATIONS

Business Operations are highly dependent on automated and tightly integrated technology systems to support processes and interactions with third parties and customers. To create an integrated risk framework, Business, IT and Security teams must co-develop:
• Risk Appetite translated into required thresholds
• A common, organization-wide language of risk that supports an analytics framework
• Contextual Intelligence to identify risk threshold breaches and respond with agility

2 CHANGE MANAGEMENT

Business Resilience must be continuously optimized through planning and preparedness that support business operations and the technology environment. Business, IT and Security teams must vigilantly align on:
• Business Impact Analysis with appropriate RTOs and RPOs
• A high state of readiness, with current plans and rigorous testing
• Maximum responsiveness from employees, suppliers, third parties, customers and government agencies

3 TECHNOLOGY LANDSCAPE

Technology Landscape – IT must ‘keep the lights on’ and continuously improve the landscape while adopting new technologies such as cloud, mobile, Artificial Intelligence and the Internet of Things. To lay the foundation that will support an integrated risk model, IT must work with the business to define and keep current:
• Business process maps with references to the underlying technology apps, data and networks
• Best Practices in GRC to protect sensitive and regulated information
• Agile processes to adopt emerging technologies

4 REGULATORY COMPLIANCE MANAGEMENT

Regulatory Compliance Management requires proactive analysis of how regulatory requirements apply to business processes, information, third parties and the extended global and local technology environment. Teams must converge on:
• A common understanding of global and local regulatory obligations
• Harmonized control testing and reporting across all regulations
• An agile regulatory management process to assess the impact of change

5 THREAT INTELLIGENCE MANAGEMENT

Threat Intelligence and Response must continuously evolve to respond adequately to risks and vulnerabilities across the IT landscape. IT and Security teams must align on:
• Future-Ready assessments that leverage continuous monitoring of threat feeds
• Threat Intelligence and analysis supported by machine learning and AI
• Breach Readiness aligned with crisis and incident management

COMMON DRIVERS FOR BUSINESS, IT AND SECURITY RISK TEAMS

Business, IT and Security Risk teams benefit from an integrated risk program that allows them to:
• Rapidly respond to risk with the insight and agility to support better decisions
• Gain visibility and context into the most urgent business risks across operations
• Effectively serve finance, legal, corporate compliance, vendor management and operations
• Manage a broad and dynamic landscape of third parties, suppliers and customers

Contact info@oceg.org for comments, reprints or licensing requests. ©2017 OCEG. For additional resources visit www.oceg.org/resources